From 312c1233ddbc0bceb194c5d5976fc97b03725d3c Mon Sep 17 00:00:00 2001
From: Ted Unangst <tedu@cvs.openbsd.org>
Date: Tue, 22 Jan 2019 20:39:52 +0000
Subject: namei can return a null dvp on success. check this before access. ok
 beck

Reported-by: syzbot+cc59412ed8429450a1ae@syzkaller.appspotmail.com
---
 sys/kern/vfs_syscalls.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

(limited to 'sys/kern')

diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c
index 67968025326..717bf06185d 100644
--- a/sys/kern/vfs_syscalls.c
+++ b/sys/kern/vfs_syscalls.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: vfs_syscalls.c,v 1.311 2019/01/21 20:46:52 tedu Exp $	*/
+/*	$OpenBSD: vfs_syscalls.c,v 1.312 2019/01/22 20:39:51 tedu Exp $	*/
 /*	$NetBSD: vfs_syscalls.c,v 1.71 1996/04/23 10:29:02 mycroft Exp $	*/
 
 /*
@@ -922,9 +922,10 @@ sys_unveil(struct proc *p, void *v, register_t *retval)
 	    (VOP_ACCESS(nd.ni_vp, VREAD, p->p_ucred, p) == 0 ||
 	    VOP_ACCESS(nd.ni_vp, VWRITE, p->p_ucred, p) == 0 ||
 	    VOP_ACCESS(nd.ni_vp, VEXEC, p->p_ucred, p) == 0)) ||
-	    VOP_ACCESS(nd.ni_dvp, VREAD, p->p_ucred, p) == 0 ||
+	    (nd.ni_dvp &&
+	    (VOP_ACCESS(nd.ni_dvp, VREAD, p->p_ucred, p) == 0 ||
 	    VOP_ACCESS(nd.ni_dvp, VWRITE, p->p_ucred, p) == 0 ||
-	    VOP_ACCESS(nd.ni_dvp, VEXEC, p->p_ucred, p) == 0);
+	    VOP_ACCESS(nd.ni_dvp, VEXEC, p->p_ucred, p) == 0)));
 
 	/* release lock from namei, but keep ref */
 	if (nd.ni_vp)
-- 
cgit v1.2.3